From 1eda22c2bd6265be78810f64b1b5fb873b4d7866 Mon Sep 17 00:00:00 2001 From: "mergify[bot]" <37929162+mergify[bot]@users.noreply.github.com> Date: Mon, 30 Mar 2026 08:34:37 +0000 Subject: [PATCH] fix(warehouse_capacity_dashboard): escaping `warehouse`, `item_code` and `company` on `get_data` (backport #53894) (#53899) * fix(warehouse_capacity_dashboard): escaping `warehouse`, `item_code` and `company` on `get_data` (#53894) (cherry picked from commit ddeb9775ed24b62abe571c404564fddf1eb2e48a) # Conflicts: # erpnext/stock/dashboard/warehouse_capacity_dashboard.py * chore: resolve conflicts --------- Co-authored-by: diptanilsaha
---
 erpnext/stock/dashboard/warehouse_capacity_dashboard.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/erpnext/stock/dashboard/warehouse_capacity_dashboard.py b/erpnext/stock/dashboard/warehouse_capacity_dashboard.py
index 24e0ef11ffa..83e5b1fe642 100644
--- a/erpnext/stock/dashboard/warehouse_capacity_dashboard.py
+++ b/erpnext/stock/dashboard/warehouse_capacity_dashboard.py
@@ -1,6 +1,6 @@
 import frappe
 from frappe.model.db_query import DatabaseQuery
-from frappe.utils import flt, nowdate
+from frappe.utils import escape_html, flt, nowdate
 from erpnext.stock.utils import get_stock_balance
@@ -75,6 +75,9 @@ def get_warehouse_capacity_data(filters, start):
 balance_qty = get_stock_balance(entry.item_code, entry.warehouse, nowdate()) or 0
 entry.update(
 {
+ "warehouse": escape_html(entry.warehouse),
+ "item_code": escape_html(entry.item_code),
+ "company": escape_html(entry.company),
 "actual_qty": balance_qty,
 "percent_occupied": flt((flt(balance_qty) / flt(entry.stock_capacity)) * 100, 0),
 }
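Review bot: The three `escape_html` calls added to `entry.update(...)` rewrite `warehouse`, `item_code` and `company` in the returned rows themselves, so any consumer that uses those fields as identifiers rather than display text (a link or route to the Warehouse or Item record, a follow-up lookup) would receive the entity-encoded form for names containing `&`, `<` or quotes, and a template that already escapes would show them double-encoded. The template and client code are not visible in this hunk, so this needs checking there; if the fields are only ever rendered as HTML text, a comment such as `# HTML-escaped for display only; raw values are used for get_stock_balance above` would record that the lookup must stay before the escaping. Any other string columns the query returns (outside the hunk) would still reach the page unescaped, so escaping at the render sink would cover them more reliably. `get_warehouse_capacity_data` starts and ends outside the hunk.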